Grok formatting for a custom timestamp
The timestamp you mentioned can be matched by Logstash with the TIMESTAMP_ISO8601 pattern.
filter {
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp_match}"]
  }
}
You can test this at the Grok Debugger by entering 2015-03-13 00:23:37.616 and %{TIMESTAMP_ISO8601:timestamp_match}.
You probably want to match into a different field name, but that's the basic idea.
Built-in patterns can be found in the Logstash documentation, or on GitHub.
Author: pcproff
Updated on June 04, 2022
Comments
-
pcproff almost 2 years
2015-03-13 00:23:37.616
I am trying to use grok to format the following date format. I have tried SYSLOGTIMESTAMP, DATESTAMP_EVENTLOG and DATESTAMP_RFC2822 with no success. Can anyone shed some light?
-
pcproff about 9 years
Why does Grok Debugger give me all this additional info?
"YEAR": [ [ "2015" ] ], "MONTHNUM": [ [ "03" ] ], "MONTHDAY": [ [ "13" ] ], "HOUR": [ [ "00", null ] ], "MINUTE": [ [ "00", null ] ], "SECOND": [ [ "38.582" ] ],
-
pcproff about 9 years
I implemented this into my filter file and I did not get the extra attributes, which is what matters. Thanks rutter.
-
rutter about 9 years
@pcproff If you select "Named Captures Only", those should go away (that's the default behavior in grok, but not in the debugger). Those other matches are the subpatterns that make up TIMESTAMP_ISO8601. Sometimes handy to see them when you're exploring, but otherwise they can be noisy.
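The match from the answer and the extra subpattern captures discussed in the comments can be reproduced offline with the Python sketch below. It is an added example, not code from the thread or from Logstash: the pattern table is a simplified copy of the grok-patterns definitions (an assumption), and `compile_grok`, `grok` and the sample log line are hypothetical and constructed for illustration.

```python
import re

# Simplified copies of the grok-patterns definitions behind TIMESTAMP_ISO8601
# (assumption: YEAR's atomic group is written here as a plain group).
PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(expr):
    """Expand %{NAME} / %{NAME:field} recursively into one regex."""
    groups = {}  # unique regex group id -> (label, named by the user?)
    def expand(m):
        name, field = m.group(1), m.group(2)
        gid = f"g{len(groups)}"
        groups[gid] = (field or name, field is not None)
        return f"(?P<{gid}>{TOKEN.sub(expand, PATTERNS[name])})"
    return re.compile(TOKEN.sub(expand, expr)), groups

def grok(expr, line, named_captures_only=True):
    """Return captured fields, or None when the line does not match."""
    regex, groups = compile_grok(expr)
    m = regex.search(line)
    if m is None:
        return None
    out = {}
    for gid, (label, user_named) in groups.items():
        if user_named:
            out[label] = m.group(gid)
        elif not named_captures_only:
            # Debugger-style view: every subpattern, None where it did not take part
            out.setdefault(label, []).append(m.group(gid))
    return out

# Constructed sample line using the timestamp format from the question
SAMPLE_LINE = "2015-03-13 00:23:37.616 INFO login failed user=alice"

if __name__ == "__main__":
    print(grok("%{TIMESTAMP_ISO8601:timestamp_match}", SAMPLE_LINE))
    print(grok("%{TIMESTAMP_ISO8601:timestamp_match}", SAMPLE_LINE, named_captures_only=False))
```

The second call shows where the `null` entries come from: HOUR and MINUTE appear a second time inside the optional ISO8601_TIMEZONE subpattern, which does not take part in the match when the timestamp carries no offset.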